mozilla / mozilla-django-oidc

A django OpenID Connect library
https://mozilla-django-oidc.readthedocs.io
Mozilla Public License 2.0

integration with keycloak #505

Open OverdueCEO opened 11 months ago

OverdueCEO commented 11 months ago
Django  4.2.3
Python  3.11.3
mozilla-django-oidc 3.0.0
Keycloak 22.0.1

I set all the settings that are described in the documentation and, no matter what I do, I cannot get past the callback. When using HS256 I get "JWS Token verification failed"; when using RS256 I get this:

Request Method: GET
Request URL: http://127.0.0.1:8000/oidc/callback/?state=pbjdaia5shQsHoZ79011F1nY6SJbTtEr&session_state=5b928b89-2a00-4248-9ffd-de1c66d0be5f&code=79096ae7-d253-4e05-baa9-33560a44d37f.5b928b89-2a00-4248-9ffd-de1c66d0be5f.f615e064-2a51-4371-aa9e-00f65d81148d

Django Version: 4.2.3
Python Version: 3.11.3
Installed Applications:
['django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'pages.apps.PagesConfig',
 'mozilla_django_oidc']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'mozilla_django_oidc.middleware.SessionRefresh']

Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
               ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/django/views/generic/base.py", line 104, in view
    return self.dispatch(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/django/views/generic/base.py", line 143, in dispatch
    return handler(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/overdue/.local/lib/python3.11/site-packages/mozilla_django_oidc/views.py", line 127, in get
    self.user = auth.authenticate(**kwargs)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/django/views/decorators/debug.py", line 42, in sensitive_variables_wrapper
    return func(*func_args, **func_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/django/contrib/auth/__init__.py", line 77, in authenticate
    user = backend.authenticate(request, **credentials)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/overdue/.local/lib/python3.11/site-packages/mozilla_django_oidc/auth.py", line 288, in authenticate
    payload = self.verify_token(id_token, nonce=nonce)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/overdue/.local/lib/python3.11/site-packages/mozilla_django_oidc/auth.py", line 202, in verify_token
    payload_data = self.get_payload_data(token, key)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/overdue/.local/lib/python3.11/site-packages/mozilla_django_oidc/auth.py", line 187, in get_payload_data
    return self._verify_jws(token, key)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/overdue/.local/lib/python3.11/site-packages/mozilla_django_oidc/auth.py", line 141, in _verify_jws
    if not jws.verify(jwk):
           ^^^^^^^^^^^^^^^
  File "/home/overdue/.local/lib/python3.11/site-packages/josepy/jws.py", line 285, in verify
    return all(sig.verify(self.payload, key) for sig in self.signatures)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/overdue/.local/lib/python3.11/site-packages/josepy/jws.py", line 285, in <genexpr>
    return all(sig.verify(self.payload, key) for sig in self.signatures)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/overdue/.local/lib/python3.11/site-packages/josepy/jws.py", line 214, in verify
    return self.combined.alg.verify(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/overdue/.local/lib/python3.11/site-packages/josepy/jwa.py", line 118, in verify
    key.verify(sig, msg, self.padding, self.hash)
    ^^^^^^^^^^

Exception Type: AttributeError at /oidc/callback/
Exception Value: 'bytes' object has no attribute 'verify'

Do I need to downgrade some packages, maybe?

JulienFS commented 1 month ago

'bytes' object has no attribute 'verify' usually means that the key was not parsed properly and ended up being a JWKOct (instead of a JWKRSA or JWKEC key).

Are you using the OIDC_RP_IDP_SIGN_KEY parameter? If you do, be sure to provide a proper PEM format, with the header, the 64-char width, the footer and the necessary line feeds, like:

-----BEGIN RSA PUBLIC KEY-----
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
-----END RSA PUBLIC KEY-----

It's quite common to lose the line feeds when dealing with envs and settings.
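A settings-time sanity check in the spirit of the answer above, as an added example that is not part of mozilla-django-oidc or josepy: it verifies the header, footer, 64-character lines and line feeds the answer describes, and repairs the common case where a .env file or settings string turned the newlines into literal backslash-n. The key body used below is a constructed stand-in, not a real key.

```python
"""Sanity-check the PEM string handed to OIDC_RP_IDP_SIGN_KEY (stdlib only; added example)."""
import base64
import binascii
import re

# Header line, body split into lines of at most 64 base64 chars each ending in a line feed, footer.
PEM_RE = re.compile(
    r"^-----BEGIN (?P<label>[A-Z ]+)-----\n"
    r"(?P<body>(?:[A-Za-z0-9+/=]{1,64}\n)+)"
    r"-----END (?P=label)-----\n?$"
)
PUBLIC_LABELS = ("PUBLIC KEY", "RSA PUBLIC KEY")  # the IdP signing key is a public key

def wrap_pem(label: str, body_b64: str) -> str:
    """Lay out a base64 body as PEM with the header, 64-char lines and footer."""
    lines = [body_b64[i:i + 64] for i in range(0, len(body_b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def normalize_pem(raw: str) -> str:
    """Repair line feeds lost in env vars or settings: a literal backslash-n becomes
    a newline, and a PEM collapsed onto one line is re-wrapped at 64 characters."""
    text = raw.replace("\\n", "\n").strip()
    m = re.match(r"-----BEGIN ([A-Z ]+)-----(.*)-----END \1-----", text, re.S)
    if not m:
        return text  # not recognisable as PEM at all; check_pem() will report it
    return wrap_pem(m.group(1), re.sub(r"\s+", "", m.group(2)))

def check_pem(pem: str) -> list:
    """Return the problems found; an empty list means the PEM looks usable."""
    m = PEM_RE.match(pem)
    if not m:
        return ["missing header/footer, or body not split into <=64-char lines with line feeds"]
    problems = []
    if m.group("label") not in PUBLIC_LABELS:
        problems.append(f"unexpected PEM label {m.group('label')!r}; expected a public key")
    try:
        der = base64.b64decode(m.group("body").replace("\n", ""), validate=True)
    except binascii.Error:
        return problems + ["body is not valid base64"]
    if not der.startswith(b"\x30"):  # a DER-encoded key always starts with a SEQUENCE tag
        problems.append("decoded body is not a DER SEQUENCE, so it cannot be a key")
    return problems

# Constructed stand-in for a key body (a DER SEQUENCE header plus zero padding, not a real key).
CONSTRUCTED_DER = b"\x30\x82\x01\x22" + bytes(290)
GOOD_PEM = wrap_pem("PUBLIC KEY", base64.b64encode(CONSTRUCTED_DER).decode())
MANGLED_PEM = GOOD_PEM.replace("\n", "\\n")  # how a .env file or a settings string often stores it
```

Running `check_pem()` on the configured value at Django startup turns the opaque callback traceback into a readable configuration error before any login is attempted.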